The Payment Card Industry Data Security Standard (PCI DSS) is a crucial standard to keep in mind in contact centre governance. It provides guidelines on how to avoid exposing customer payment data and how to protect against breaches. 83% of contact centres in a recent survey admitted there was room for improvement in their efforts towards customer privacy and data safety. One of the best ways to achieve this is by ensuring PCI DSS compliance.
Here is a quick breakdown of how much it would cost.
Factors Determining PCI DSS Compliance Costs
There are a number of variables that will determine how much your organisation has to shell out to reach PCI DSS compliance and demonstrate it through a post-audit certification. This figure will depend on:
- The size of your organisation – Depending on your workforce, the number of transactions processed and the complexity of your IT landscape, PCI DSS compliance can cost anywhere between $500-$50,000 per year
- The kind of audit required – Audits can happen in a number of ways, including self-assessments, and on-site audits by a Qualified Security Assessor (QSA)
- Infrastructure and training remediation costs – Based on audit results, you might have to upgrade your hardware and software as well as address any security skill gaps in your workforce
- Optional third-party consultancy – Whether you hire in-house PCI DSS experts or opt for an external consultant will also factor into your total costs
Let us now look at the cost estimates for organisations of different types.
How Much Will PCI DSS Compliance Cost Your Organisation?
Small businesses with fewer than 20,000 online transactions a year fall under the Level 4 category. For these companies, self-assessment is good enough, although you still need quarterly vulnerability scans by an Approved Scanning Vendor (ASV). Add to this the cost of remediation and user training, and you have to invest at least $75 a month to achieve and maintain compliance.
Level 3 companies, however, conduct 20,000-1,000,000 transactions annually. The PCI DSS requirements are the same as above, but due to the larger infrastructure and workforce size, costs will be around $1200+ per year.
Level 2 companies with 1-6 million transactions a year must undergo robust penetration testing in addition to the previously stated requirements. This adds up to at least $10,000 a year for the organisation.
Finally, Level 1 companies face the greatest compliance burden of all, requiring PCI-certified technology components, an on-site audit by a QSA, and detailed documentation of data security procedures and encryption. This is because Level 1 companies process over 6 million transactions annually, or have faced a data breach in the past. PCI DSS compliance costs, in such scenarios, start at $50,000 a year.
What is the Cost of Not Investing in PCI DSS?
While the costs can seem formidable, it is not advisable for any organisation to go without PCI DSS compliance. Failure to demonstrate compliance, and the data breaches that can result from it, can incur penalties or fines to the tune of $500,000 and above, which could cripple a small-to-mid-sized business.